CMMC 2.0 Compliance Timeline: Deadlines, Costs, and Preparation Guide
The CMMC 2.0 phased rollout is accelerating in 2026. This guide covers the three-level structure, Phase 2 third-party assessment deadlines, cost estimates by level, C3PAO scheduling, supply chain flow-down requirements, and the concrete steps contractors must take now.
Why Is the CMMC 2.0 Timeline Critical in 2026?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 has moved from policy planning to operational enforcement. Phase 1 began on November 10, 2025, giving the Department of Defense discretion to include Level 1 or Level 2 self-assessment requirements in new solicitations. Phase 2 -- the milestone that mandates third-party assessments for contracts involving Controlled Unclassified Information (CUI) -- begins on November 10, 2026. For contractors handling CUI on defense programs, this date represents a hard qualification gate: without certification, you cannot compete.
This is no longer an IT compliance initiative that can be delegated to a security team. CMMC 2.0 is a business qualification requirement with legal accountability attached. A senior company official must personally attest to assessment accuracy in the Supplier Performance Risk System (SPRS) under penalty of the False Claims Act. The stakes -- lost contract eligibility, civil liability, and supply chain exclusion -- make 2026 the year that CMMC readiness becomes a board-level priority.
"CMMC has transitioned from a 'trust' model to a 'trust but verify' framework. Self-attestation is being replaced by third-party verification, and the consequences of non-compliance extend beyond lost revenue to legal exposure."
What Are the Three CMMC 2.0 Levels?
CMMC 2.0 simplifies the original five-level model to three tiers, each aligned to the sensitivity of information handled and the rigor of assessment required.
Level 1: Foundational
Applies to: Contractors handling Federal Contract Information (FCI) -- essentially all DoD contractors.
Requirements: 15 basic cybersecurity practices derived from FAR 52.204-21, covering fundamental security hygiene such as limiting system access to authorized users, authenticating identities, sanitizing media, and updating malware protection.
Assessment: Annual self-assessment submitted to SPRS with senior official affirmation. No third-party assessment required.
Effective: Phase 1, November 10, 2025.
Level 2: Advanced
Applies to: Contractors handling Controlled Unclassified Information (CUI) on prioritized programs. This is the tier most defense contractors in IT, engineering, logistics, and professional services must achieve.
Requirements: All 110 security controls from NIST SP 800-171 Revision 2, spanning 14 control families including access control (22 controls), identification and authentication (11 controls), system and communications protection (16 controls), and audit and accountability (9 controls).
Assessment: For prioritized CUI programs, a triennial assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) accredited by the Cyber AB. For non-prioritized CUI programs, DoD may allow self-assessment on a program-by-program basis.
Effective: Phase 2, November 10, 2026 (C3PAO assessments in solicitations).
Level 3: Expert
Applies to: Contractors on the highest-priority DoD programs with the most sensitive CUI, including programs like the Golden Dome initiative's SHIELD vehicle.
Requirements: All 110 NIST 800-171 controls plus 24 enhanced controls from NIST SP 800-172, addressing advanced persistent threat (APT) protections.
Assessment: Government-led assessment conducted by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
Effective: Phase 3, November 10, 2027.
What Is the Complete Phased Rollout Timeline?
CMMC requirements are being inserted into DoD solicitations through a four-phase schedule. Each phase increases the scope and rigor of certification requirements across the defense industrial base.
| Phase | Start Date | Requirements | Who Is Affected |
|---|---|---|---|
| Phase 1 | November 10, 2025 | Level 1 self-assessment or Level 2 self-assessment in applicable solicitations | All DoD contractors (at CO discretion) |
| Phase 2 | November 10, 2026 | Level 2 C3PAO assessments required for prioritized CUI programs | Contractors handling CUI on prioritized programs |
| Phase 3 | November 10, 2027 | Level 2 C3PAO assessments required more broadly; Level 3 DIBCAC assessments begin | All CUI-handling contractors; highest-priority programs |
| Phase 4 | November 10, 2028 | Full implementation across all applicable DoD contracts | Entire defense industrial base |
The critical planning detail: Most organizations need 12 to 18 months from initial gap assessment to assessment readiness. If your firm handles CUI and you have not begun preparation, the Phase 2 deadline is already inside your preparation window. Scheduling a C3PAO assessment in Q3 or Q4 of 2026 will become increasingly difficult as demand surges ahead of the November deadline.
How Much Does CMMC Certification Cost?
CMMC readiness requires significant investment, and costs vary substantially based on organizational size, IT complexity, and the current state of cybersecurity maturity. The following estimates reflect industry ranges reported across multiple compliance advisory firms.
Cost Estimates by CMMC Level
| Cost Category | Level 1 (Self-Assessment) | Level 2 (C3PAO Assessment) | Level 3 (DIBCAC Assessment) |
|---|---|---|---|
| Gap assessment | $5,000 - $15,000 | $15,000 - $50,000 | $25,000 - $75,000 |
| Technology remediation | $10,000 - $50,000 | $50,000 - $250,000+ | $100,000 - $500,000+ |
| Documentation development | $5,000 - $15,000 | $20,000 - $75,000 | $40,000 - $120,000 |
| Security tools and monitoring | $3,000 - $15,000/year | $12,000 - $60,000/year | $25,000 - $100,000/year |
| Third-party assessment | N/A (self-assessment) | $30,000 - $100,000+ | Government-led (no direct fee) |
| Ongoing maintenance | $5,000 - $20,000/year | $30,000 - $80,000/year | $50,000 - $150,000/year |
| Estimated Total (Year 1) | $25,000 - $95,000 | $150,000 - $500,000+ | $250,000 - $800,000+ |
Important: These costs are allowable and allocable as indirect costs on DoD contracts. Contractors should factor CMMC compliance investment into their indirect rate structures rather than treating it as a one-time capital expense.
Hidden Cost Drivers
Several factors can push costs significantly above baseline estimates:
- Scope of CUI environment: The more systems, applications, and data flows that touch CUI, the more controls must be implemented and assessed. Minimizing your CUI boundary through network segmentation and dedicated enclaves is the single most effective cost reduction strategy.
- Legacy infrastructure: Organizations running outdated systems that cannot support modern security controls face substantial technology refresh costs.
- Multi-site operations: Each physical location handling CUI must be assessed, multiplying both remediation and assessment costs.
- Supply chain flow-down: Ensuring subcontractor compliance adds management overhead and may require providing compliance support to smaller partners.
What Are the SPRS and Annual Affirmation Requirements?
The Supplier Performance Risk System (SPRS) is the central repository where contractors submit their CMMC assessment results. Two aspects of SPRS make it a governance priority rather than a routine filing.
The Self-Assessment Score
For Level 1 and Level 2 self-assessments, contractors calculate and submit a score based on their implementation status across all applicable controls. For Level 2, the maximum score is 110 (one point per NIST 800-171 control fully implemented). Each unimplemented control reduces the score by its weighted value.
In practice, prime contractors are increasingly using SPRS scores as a screening tool for subcontractor selection. Many primes now require a minimum SPRS score of 88 out of 110 before issuing teaming agreements -- creating a competitive threshold that goes beyond the minimum CMMC requirement.
Senior Official Affirmation
After each assessment, a senior company official must digitally sign an annual affirmation in SPRS attesting that the assessment accurately reflects the organization's cybersecurity posture. This is not a delegation-friendly task. The signatory is personally and legally accountable under the False Claims Act for the accuracy of the submission.
The Department of Justice has already used the False Claims Act to pursue contractors who submitted inaccurate NIST 800-171 self-assessment scores. This enforcement history means that overreporting compliance -- whether through negligence or intentional misrepresentation -- carries concrete legal risk.
How Does the Supply Chain Flow-Down Requirement Work?
CMMC 2.0 extends beyond the prime contractor to the entire supply chain. Prime contractors are legally responsible for ensuring that every subcontractor who handles CUI meets the required CMMC level before data is shared. This flow-down requirement creates a cascading compliance obligation.
What this means for primes:
- You must verify subcontractor CMMC status before awarding subcontracts involving CUI
- Your subcontractor management processes must include CMMC screening criteria
- Non-compliant subcontractors in your supply chain create risk for your own certification status
What this means for subcontractors:
- Your CMMC readiness directly affects your ability to win subcontract work
- Primes are screening more aggressively -- many will not wait for Phase 2 to require compliance evidence
- Firms that achieve Level 2 certification early gain a competitive advantage in teaming and subcontracting
"The supply chain flow-down requirement means CMMC is not just about your own compliance. Primes are building supply chains of certified partners, and firms without certification are being excluded from teaming opportunities now -- not in November."
What Are the Preparation Steps for November 2026?
With the Phase 2 deadline inside the typical 12-to-18-month preparation window, contractors should be executing -- not planning -- the following steps.
Step 1: Scope and Minimize Your CUI Environment
Define exactly where CUI lives in your organization. Map every system, application, network segment, and data flow that touches CUI. Then minimize that boundary aggressively:
- Segment CUI into a dedicated enclave separate from your general IT environment
- Use FedRAMP-authorized cloud services (Microsoft GCC High, AWS GovCloud) for CUI processing and storage to inherit cloud provider controls
- Implement data loss prevention to prevent CUI from spreading beyond the defined boundary
Every system in scope must meet all 110 controls. A smaller boundary means lower cost and less assessment risk.
Step 2: Conduct a Structured Gap Assessment
Evaluate current implementation against each of the 110 NIST SP 800-171 Rev 2 controls. For each control, document whether it is fully implemented (with evidence), partially implemented (with specific gaps identified), or not implemented. A thorough gap assessment typically reveals 30 to 60 gaps for organizations that have followed informal cybersecurity practices but have not conducted a structured NIST 800-171 review.
Step 3: Prioritize and Execute Remediation
Not all gaps are equal. Prioritize remediation by:
- Controls that cannot be on POA&M: These must be fully implemented before assessment. The CMMC assessment guide specifies which controls are ineligible for deferral.
- Controls with the greatest risk reduction: Access control, multi-factor authentication, encryption, and audit logging provide the highest security value per implementation effort.
- Controls with the longest lead time: Technology purchases, network architecture changes, and staff training programs require months to execute.
Step 4: Build Assessment-Ready Documentation
Documentation is where assessments succeed or fail. Your minimum documentation package includes:
- System Security Plan (SSP): Detailed, specific implementation statements for each control -- not template language, but your actual environment
- Plan of Action and Milestones (POA&M): For controls not yet fully implemented, with realistic timelines (all items must close within 180 days)
- Policies and procedures: Formal, written policies for each of the 14 control families
- Evidence artifacts: Logs, screenshots, configuration files, and training records demonstrating control implementation
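As an added example (not part of this guide, and not Aliff Solutions' code), the following Python turns a gap-assessment register of the kind Step 2 describes into the SPRS score covered in the SPRS section above and the POA&M checks from Step 4: it starts at 110, subtracts each unimplemented control's weight, compares the result with the 88-out-of-110 threshold many primes screen for, and flags gaps that are ineligible for a POA&M, have no closure date, or would not close within 180 days. The control identifiers, weights, dates and evidence strings are constructed sample data; the 1/3/5-point weights and the partial credit for 3.5.3 (MFA) and 3.13.11 (FIPS-validated cryptography) follow the DoD NIST SP 800-171 Assessment Methodology as I understand it, and the per-control POA&M eligibility flag is an assumed field whose real values come from the CMMC assessment guide.

```python
"""Gap-register calculator for SPRS scoring and POA&M readiness (added example).

The register lists only controls with findings; every control not listed is
treated as fully implemented with evidence on file. Sample data is constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_SCORE = 110          # one entry per NIST SP 800-171 Rev 2 control
PRIME_THRESHOLD = 88     # screening floor many primes apply (from the guide)
POAM_CLOSE_DAYS = 180    # maximum POA&M closure window (from the guide)

# Controls that keep partial credit when partially implemented under the DoD
# methodology: the deduction drops from 5 to 3 (e.g. MFA in place for remote
# and privileged access but not for all users; encryption in use but not
# FIPS-validated). Verify against the current methodology before relying on it.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}


@dataclass
class ControlStatus:
    control_id: str                   # NIST SP 800-171 identifier, e.g. "3.1.1"
    status: str                       # "implemented" | "partial" | "not_implemented"
    weight: int                       # 1, 3 or 5 points (sample values below)
    evidence: str = ""                # artifact backing an "implemented" claim
    poam_eligible: bool = True        # assumed field; real values from the assessment guide
    poam_target: Optional[date] = None  # planned closure date if carried on the POA&M


def deduction(c: ControlStatus) -> int:
    """Points subtracted for one control: none if implemented, reduced for the
    two partial-credit controls, otherwise the control's full weight."""
    if c.status == "implemented":
        return 0
    if c.status == "partial" and c.control_id in PARTIAL_CREDIT:
        return PARTIAL_CREDIT[c.control_id]
    return c.weight


def sprs_score(register) -> int:
    """SPRS score: 110 minus the deduction for every control with a finding."""
    return MAX_SCORE - sum(deduction(c) for c in register)


def readiness_report(register, today: date) -> dict:
    """Score the register and list every item that blocks an assessment:
    undocumented 'implemented' claims, gaps that cannot sit on a POA&M, gaps
    with no target date, and POA&M items outside the 180-day window."""
    blockers = []
    for c in register:
        if c.status == "implemented":
            if not c.evidence:
                blockers.append(f"{c.control_id}: claimed implemented but no evidence artifact")
            continue
        if not c.poam_eligible:
            blockers.append(f"{c.control_id}: not POA&M-eligible, implement before assessment")
        elif c.poam_target is None:
            blockers.append(f"{c.control_id}: open gap with no POA&M target date")
        elif (c.poam_target - today).days > POAM_CLOSE_DAYS:
            blockers.append(f"{c.control_id}: POA&M target exceeds {POAM_CLOSE_DAYS}-day window")
    score = sprs_score(register)
    return {
        "score": score,
        "meets_prime_threshold": score >= PRIME_THRESHOLD,
        "blockers": blockers,
    }


# Constructed sample register: only the controls the gap assessment flagged.
SAMPLE_REGISTER = [
    ControlStatus("3.1.1", "implemented", 5, evidence="AD group policy export, Feb 2026"),
    ControlStatus("3.1.2", "implemented", 5, evidence="RBAC matrix v3"),
    ControlStatus("3.3.1", "implemented", 5),  # claimed, but nothing on file yet
    ControlStatus("3.5.3", "partial", 5, poam_target=date(2026, 6, 30)),  # MFA: remote/privileged only
    ControlStatus("3.13.11", "not_implemented", 5, poam_eligible=False),
    ControlStatus("3.1.22", "not_implemented", 1, poam_target=date(2026, 12, 1)),
    ControlStatus("3.14.1", "not_implemented", 5, poam_target=date(2026, 5, 15)),
]
SAMPLE_TODAY = date(2026, 3, 1)  # constructed "as of" date for the sample run


def sample_report() -> dict:
    """Run the calculator over the constructed register."""
    return readiness_report(SAMPLE_REGISTER, SAMPLE_TODAY)


if __name__ == "__main__":
    report = sample_report()
    print(f"SPRS score: {report['score']} / {MAX_SCORE}")
    print(f"Meets {PRIME_THRESHOLD}-point prime screen: {report['meets_prime_threshold']}")
    for line in report["blockers"]:
        print(" -", line)
```

On the constructed register the score is 96, so the firm would clear a prime's 88-point screen, yet three findings still block an assessment: an audit-logging control claimed without evidence, a FIPS gap that cannot be deferred to a POA&M, and a POA&M item dated beyond the 180-day window. That split between "score" and "assessment-ready" is exactly why Steps 2 and 4 ask for evidence and realistic closure dates per control rather than a single number.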
Step 5: Conduct Mock Assessments
Before engaging a C3PAO, conduct at least one internal mock assessment using the CMMC Assessment Guide from the Cyber AB. Many organizations also engage a Registered Practitioner Organization (RPO) for an independent pre-assessment. A mock assessment identifies documentation gaps, weak implementation evidence, and procedural issues before they become findings in the official assessment.
Step 6: Select and Schedule a C3PAO
C3PAOs are listed on the Cyber AB Marketplace. When selecting an assessor:
- Verify their accreditation status is current
- Ask about experience with organizations of your size and industry sector
- Understand the timeline from scheduling to final report delivery
- Schedule as early as possible -- Q3 and Q4 2026 availability will tighten significantly as the Phase 2 deadline approaches
What Happens If You Are Not Ready by November 2026?
The consequences of non-compliance are both immediate and compounding:
- Contract ineligibility: You cannot be awarded contracts that include CMMC requirements at your required level. As phased implementation expands through 2028, this affects an increasing share of DoD procurements.
- Supply chain exclusion: Primes building compliant supply chains will bypass non-certified subcontractors in favor of certified alternatives.
- False Claims Act exposure: Inaccurate self-assessment scores or affirmations can trigger civil liability under the False Claims Act. The DOJ has established precedent for enforcement.
- Competitive disadvantage: Early-certified firms will capture teaming positions and subcontract awards while competitors are still preparing.
The cost of achieving CMMC readiness is substantial. The cost of not achieving it -- measured in lost contract eligibility, supply chain exclusion, and potential legal liability -- is substantially higher.
How Does CMMC 2.0 Relate to the Broader 2026 Regulatory Environment?
CMMC does not exist in isolation. The broader regulatory shifts of 2026 amplify its importance:
- The FAR Overhaul has increased contracting officer discretion, and COs are using that discretion to require CMMC compliance earlier and more broadly than the minimum phased timeline mandates.
- The DOGE efficiency mandate is driving contract consolidation toward major vehicles like SHIELD, where Level 3 CMMC certification is required for the most sensitive work.
- The Golden Dome initiative, with its $151 billion SHIELD vehicle, requires CMMC Level 3 for sensitive components -- creating demand for the highest tier of cybersecurity certification in the defense industrial base.
- The FY2026 NDAA's threshold changes affect which contractors face full CAS coverage, but CMMC requirements apply regardless of contract value for any work involving CUI.
CMMC readiness is not a standalone compliance project. It is a foundational requirement for participating in the defense market through 2026 and beyond.
Aliff Solutions is designed to help government contractors track compliance requirements, monitor regulatory deadlines, and identify which opportunities in their pipeline require CMMC certification. Our platform surfaces compliance signals alongside competitive intelligence so your team can make informed pursuit decisions. Explore our compliance tracking capabilities or assess your competitive position with our free tools.
Written by
Haroon Haider
CEO, Aliff Solutions
Aliff Solutions provides quantitative intelligence for government contractors. Our team combines decades of federal contracting experience with advanced analytics to help you win more contracts.